Skip to content
Merged
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 27 additions & 1 deletion .github/workflows/coveo.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@
generate-coveo-search-token:
name: Generate Coveo Search Tokens
runs-on: ubuntu-latest
permissions:
contents: read
actions: read # for 8398a7/action-slack
strategy:
matrix:
include:
Expand Down Expand Up @@ -69,48 +72,71 @@
name: ${{matrix.env_name}}
path: "./"

- name: Send a notification if token generation step failed
if: ${{ steps.generate-token.outcome == 'failure' }}
uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
with:
status: custom
custom_payload: |
{
username: 'Github',
mention: 'channel',
attachments: [{
title: '[${{ github.event.repository.full_name }}] Coveo Token Generation Failed (${{matrix.env_name}} environment)',
color: 'danger',
fields: [{
title: 'Pipeline URL',
value: '<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.run_id }}>',
short: false
}]
}]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_DOCS_INCIDENT }}


push-tokens-to-azure:
name: Push coveo search tokens to Azure
name: Batch push coveo search tokens to Azure
runs-on: ubuntu-latest
needs: generate-coveo-search-token
steps:
- name: Download Coveo search token
uses: actions/download-artifact@v5

- name: View files
run: ls -R

- name: Login to Azure
uses: azure/login@v2
with:
creds: ${{secrets.AZURE_CREDENTIALS_DOCS}}

- name: Retrieve secrets from Keyvault
id: keyvault
uses: azure/cli@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956
with:
inlineScript: |
secrets_get=(productionHostname previewHostname resourceGroupName cdnProfileName cdnName accountName)
for secret_get in ${secrets_get[@]}
do
value=$(az keyvault secret show --name $secret_get --vault-name ${{ secrets.AZURE_KEY_VAULT_DOCS }} --query value --output tsv)
echo "::add-mask::$value"
echo "$secret_get=$value" >> $GITHUB_OUTPUT
done

- name: Push to Azure container storage
run: |
az storage blob upload-batch \
-s ./ \
-d '$web' \
--account-name ${{steps.keyvault.outputs.accountName}} \
--overwrite \
--content-cache-control "no-store" \
--auth-mode login

az afd endpoint purge \
--resource-group ${{steps.keyvault.outputs.resourceGroupName}} \
--profile-name ${{steps.keyvault.outputs.cdnProfileName}} \
--endpoint-name ${{steps.keyvault.outputs.cdnName}} \
--domains docs.nginx.com docs-dev.nginx.com docs-staging.nginx.com \
--content-paths '/.netlify/functions/*'

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}